
    Data Protection Policy

    OllyGarden, Inc. | Last Updated: July 2, 2025

    Purpose

    This policy outlines many of the procedures and technical controls in support of data protection.

    Scope

    Production systems that create, receive, store, or transmit OllyGarden, Inc. customer data (hereafter "Production Systems") must follow the requirements and guidelines described in this policy.

    Roles and Responsibilities

    • End Users
    • End Customers

    Policy

    OllyGarden, Inc. policy requires that:

    • Data must be handled and protected according to its classification requirements and following approved encryption standards, if applicable.
    • Whenever possible, store data of the same classification in a given data repository and avoid mixing sensitive and non-sensitive data in the same repository. Security controls, including authentication, authorization, data encryption, and auditing, should be applied according to the highest classification of data in a given repository.
    • Employees shall not have direct administrative access to production data during normal business operations. Exceptions include emergency operations such as forensic analysis and manual disaster recovery.
    • All Production Systems must disable services that are not required to achieve the business purpose or function of the system.
    • All access to Production Systems must be logged.
    • All Production Systems must have security monitoring enabled, including activity and file integrity monitoring, vulnerability scanning, and/or malware detection, as applicable.

    Data Protection Implementation and Processes

    Customer Data Protection

    OllyGarden, Inc. hosts on Google Cloud Platform (GCP) in the eu-west-4 region by default. Data is replicated across multiple regions for redundancy and disaster recovery.

    All OllyGarden, Inc. employees adhere to the following processes to reduce the risk of compromising Production Data:

    • Implement and/or review controls designed to protect Production Data from improper alteration or destruction.
    • Ensure that confidential data is stored in a manner that supports user access logs and automated monitoring for potential security incidents.
    • Ensure OllyGarden, Inc. Customer Production Data is segmented and only accessible to Customers authorized to access data.
    • All Production Data at rest is stored on encrypted volumes using encryption keys managed by OllyGarden, Inc.
    • Volume encryption keys and machines that generate volume encryption keys are protected from unauthorized access. Volume encryption key material is protected with access controls such that the key material is only accessible by privileged accounts.

    Access

    OllyGarden, Inc. employee access to production is guarded by an approval process and is disabled by default. When access is approved, temporary access to production is granted. Production access is reviewed by the security team on a case-by-case basis.

    Separation

    Customer data will be logically separated at the database/datastore level using a unique identifier for the customer. The separation is enforced at the API layer, where the client must authenticate with a chosen account, and then the customer's unique identifier is included in the access token and used by the API to restrict access to data to the account. All database/datastore queries then include the account identifier.

    Alternatively, dedicated resources (database, compute) will be allocated to each customer so that customers cannot impact or access data or resources of other customers.
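    The logical separation described above, shown as an added example that is not OllyGarden, Inc.'s code: the customer's unique identifier is bound into a signed access token at authentication time, the API takes the account identifier from the verified token rather than from the request, and every datastore query carries that identifier. The token format (a compact HMAC-signed payload), the in-memory SQLite `traces` table, the signing key and the function names are all assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import sqlite3
from dataclasses import dataclass
from typing import Optional

# Assumption: a server-side signing key. In a real deployment this would be
# held in a key management service, never in source code.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


@dataclass(frozen=True)
class AccessToken:
    subject: str      # the authenticated user
    account_id: str   # the customer's unique identifier, bound to the token


def issue_token(subject: str, account_id: str) -> str:
    """Mint a compact token: base64url(payload) + '.' + base64url(HMAC-SHA256)."""
    payload = json.dumps({"sub": subject, "acct": account_id},
                         separators=(",", ":")).encode()
    mac = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return b".".join(base64.urlsafe_b64encode(p) for p in (payload, mac)).decode()


def verify_token(token: str) -> Optional[AccessToken]:
    """Return the token's claims only if its MAC is valid; None otherwise."""
    try:
        payload_b64, mac_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(payload)
    return AccessToken(subject=claims["sub"], account_id=claims["acct"])


def build_store() -> sqlite3.Connection:
    """Constructed in-memory datastore holding rows for two customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE traces (id INTEGER PRIMARY KEY, "
                 "account_id TEXT NOT NULL, payload TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO traces (id, account_id, payload) VALUES (?, ?, ?)",
        [(1, "acct-a", "trace-a-1"), (2, "acct-a", "trace-a-2"),
         (3, "acct-b", "trace-b-1")])
    conn.commit()
    return conn


def list_traces(conn: sqlite3.Connection, token: AccessToken) -> list[str]:
    """Every query is scoped by the account identifier taken from the token."""
    rows = conn.execute(
        "SELECT payload FROM traces WHERE account_id = ? ORDER BY id",
        (token.account_id,)).fetchall()
    return [r[0] for r in rows]


def get_trace(conn: sqlite3.Connection, token: AccessToken,
              trace_id: int) -> Optional[str]:
    """Row lookup always includes the account identifier, so a record owned by
    another customer is indistinguishable from one that does not exist."""
    row = conn.execute(
        "SELECT payload FROM traces WHERE id = ? AND account_id = ?",
        (trace_id, token.account_id)).fetchone()
    return None if row is None else row[0]


def handle_get_trace(conn: sqlite3.Connection, raw_token: str,
                     trace_id: int) -> tuple[int, Optional[str]]:
    """API-layer glue returning (status, body): an invalid or tampered token
    yields 401; a cross-tenant or unknown id yields 404."""
    token = verify_token(raw_token)
    if token is None:
        return 401, None
    payload = get_trace(conn, token, trace_id)
    return (404, None) if payload is None else (200, payload)


if __name__ == "__main__":
    store = build_store()
    alice = issue_token("alice", "acct-a")
    print(list_traces(store, verify_token(alice)))
    print(handle_get_trace(store, alice, 3))
```

    The design point is that the request never carries an account identifier the API would trust: the identifier lives only in the signed token, and the datastore filter is applied unconditionally, so an endpoint cannot forget it on one code path. Auditing such a system means checking that no query against a customer-scoped table omits the `account_id` predicate.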

    Data Leakage Prevention

    OllyGarden, Inc. will implement data leakage prevention mechanisms to systems that process, store or transmit sensitive information. These mechanisms will be configured to prevent data leakage (e.g., through email or other messaging technologies) and generate audit logs and alerts.

    Monitoring

    OllyGarden, Inc. uses Google Cloud Platform and Grafana Cloud to monitor the entire cloud service operation (monitoring and internal reporting capabilities are used to report on cryptographic operations, encryption, and key management policies, processes, procedures, and controls). If a system failure triggers an alarm, key personnel are notified by text, chat, and/or email message to take appropriate corrective action.

    OllyGarden, Inc. uses a security agent to monitor production systems. The agents monitor system activities, generate alerts on suspicious activities, and report on vulnerability findings to a centralized management console.

    Confidentiality/Non-Disclosure Agreement (NDA)

    OllyGarden, Inc. uses confidentiality or non-disclosure agreements to protect confidential information using legally enforceable terms. NDAs are applicable to both internal and external parties. NDAs will have the following elements:

    • Definition of the information to be protected
    • Duration of the agreement
    • Required actions upon termination of the agreement
    • Responsibilities and actions to avoid unauthorized disclosure
    • Ownership of information, trade secrets, and intellectual property
    • Permitted use of the confidential information and rights to use information
    • Audit and monitor activities that involve confidential information
    • Process of notification and reporting of unauthorized disclosure or information leakage
    • Information return or destruction terms when the agreement is terminated
    • Actions in case of breach of agreement
    • Periodic review

    Data At Rest

    Encryption

    All databases, data stores, and file systems are encrypted in accordance with OllyGarden, Inc.'s Encryption Policy.

    Storage and Disposal

    Stored data must be properly stored and handled while at rest. Considerations for storage and disposal of data at rest in conjunction with OllyGarden, Inc. Asset Management Policy, Data Classification Policy and Data Retention Policy include:

    • Authorization to access or manage stored data
    • Proper identification of records and their retention period
    • Technology change and ability to access data throughout retention period
    • Acceptable timeframe and format to retrieve data
    • Appropriate methods of disposal

    Data Deletion

    Stored sensitive data that is no longer required will be properly deleted in accordance with OllyGarden, Inc.'s business objectives, retention policies, applicable laws and regulations, and relevant third-party agreements. A record of such deletion will be kept.

    Hard-copy materials with sensitive data will be destroyed when no longer needed for business or legal reasons through secure means (e.g., shredding, pulping, incinerating, etc.) so that the data cannot be reconstructed. Hard copy materials will be stored in secure storage containers prior to destruction.

    Electronic media with sensitive data will be destroyed or rendered unrecoverable when no longer needed for business or legal reasons. Data on hardware (e.g., hard drives) will be disposed of through secure means, such as wiping or hard drive destruction.

    Data in Transit

    Necessity

    Data will only be transferred where strictly necessary for effective business processes.

    Transfer Factors

    Before choosing the method of data transfer, the following must be considered:

    • Nature, sensitivity, confidentiality, and value of the information
    • Size of data being transferred
    • Impact of loss during transit

    Encryption

    To ensure the safety of data in transit:

    • All external data transmission must be encrypted end-to-end. This includes, but is not limited to, cloud infrastructure and third party vendors and applications.
    • All internet and intranet connections are encrypted and authenticated using a strong protocol, a strong key exchange, and a strong cipher.

    Movement of Media

    • Media with sensitive data sent outside the company's facilities will be logged, securely transmitted (e.g., via secure courier or other trackable method), and captured within offsite tracking logs to include details about media location.
    • Management will approve all media with sensitive data that is moved outside the facility (including when media is distributed to individuals). Documentation of management's approval for the movement of media will be retained.
    • Packaging of media will be sufficient to protect the contents from any physical damage during transport and in accordance with any manufacturers' specifications.
    • Inventory logs of all electronic media with sensitive data will be maintained.
    • A separate log or a clearly-defined section of the overall record shall be designated specifically for media containing ePHI.
    • Removable media devices, such as USB drives, digital video disks, compact disks, external or removable hard disks, etc., that contain sensitive data will be encrypted to protect the confidentiality of the information during movement.

    Information Exchange

    Information will be exchanged between OllyGarden, Inc.'s system and other information systems only as authorized through a Privacy Policy Agreement, which includes:

    • Interface characteristics
    • Security and privacy requirements, controls, and responsibilities for each system
    • Impact level of the information communicated

    The agreement(s) will be reviewed and updated every year, or as needed.

    End-user Messaging Channels

    • Restricted and sensitive data is not allowed to be sent over electronic end-user messaging channels such as email or chat, unless end-to-end encryption is enabled.
    • Messages must be protected from unauthorized access, modification or denial of service commensurate with the classification scheme adopted by the organization.
    • Messages must be reviewed prior to sending to ensure correct addressing and transportation of the message.
    • The reliability and availability of the messaging channel must be verified.
    • All applicable legal requirements will be adhered to.
    • Use of external public services such as instant messaging, social networking or file sharing will require prior approval and authorization.
    • Publicly accessible networks will be controlled by stronger authentication.

    Revision History

    Version | Date       | Editor        | Approver      | Description of Changes | Format
    1.0     | 02.07.2025 | Yuri Oliveira | Juraci Paixão |                        |
